IIS custom application pool user not able to access certificates
Last post Apr 21, 2021 02:08 AM by samwu
Apr 20, 2021 10:33 PM|dianepana
I have a web application running on an on-prem server using IIS 10 and dotnet 2.1. I am trying to use a certificate managed in the Windows certificate store to authenticate to KeyVault.
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
var certs = store.Certificates.Find(
var credential = new ClientCertificateCredential(
secretsClient = new SecretClient(
I have also tried the following variants:
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
var store = new X509Store(StoreLocation.CurrentUser);
No matter which combination I try, I am getting the following error from certs.OfType<>.Single() : "Sequence contains no elements"
This implies to me that the application can't access the certificates. The application pool is running using a custom account ("domain\user"), not one of the built-in account types (ApplicationPoolIdentity, LocalSystem, etc).
I've found many guides on how to grant the ApplicationPoolIdentity account access to a certificate, but none for a custom account. I tried giving full control to the custom account ("email@example.com") but I'm still getting the error.
Can anybody help me figure out what is going on with this?
Apr 21, 2021 02:08 AM|samwu
I am getting the following error from certs.OfType<>.Single() : "Sequence contains no elements"
This error means you want to fetch data from a null; you can try to use SingleOrDefault instead of Single.
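
Added example, not part of the original thread: a diagnostic that separates "the certificate was not found" (the step where Single() throws) from "the certificate was found but the pool account cannot use its private key". It assumes the lookup is by thumbprint, since the Find() arguments are cut off in the question; the class name CertLookupDiagnostics and its Diagnose method are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the thread): reports which step of the lookup fails.
public static class CertLookupDiagnostics
{
    public static string Diagnose(string thumbprint)
    {
        // Thumbprints copied from the certificate dialog can carry spaces or an
        // invisible leading character, so keep only the hex digits.
        string clean = string.Concat(thumbprint.Where(Uri.IsHexDigit)).ToUpperInvariant();
        string account = Environment.UserDomainName + "\\" + Environment.UserName;

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            // An unopened store yields an empty collection, so open it first.
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false returns the certificate even when chain validation fails
            // (self-signed, expired, or issuer not trusted on this server).
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (matches.Count == 0)
                return $"{account}: no match among {store.Certificates.Count} certificates in LocalMachine\\My";

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                return $"{account}: found {cert.Subject}, but it has no private key";

            try
            {
                using (RSA key = cert.GetRSAPrivateKey())
                {
                    if (key == null) return $"{account}: found {cert.Subject}, key is not RSA";
                    // Signing forces the key to be opened, which is where a missing
                    // read permission on the private key shows up.
                    key.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                return $"{account}: found {cert.Subject}, private key unusable: {ex.Message}";
            }
            return $"{account}: found {cert.Subject}, private key usable";
        }
    }
}
```

Call Diagnose from inside the web application so it runs under the application pool's custom account, passing the thumbprint of the certificate registered for the KeyVault client.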